What You Need to Do in the Wake of Russian Hackers' Massive Data Breach

After an 18-month investigation, a U.S. security firm recently uncovered what's being called the largest security breach in recent history, conducted by a group of Russia-based hackers.

While Minneapolis-based Hold Security discovered that hacker group CyberVor stole 1.2 billion username and password combinations, along with more than 500 million email addresses, the details surrounding the breakdown are a bit unclear: According to Forbes, it's possible that the passwords could have been old data pulled from a previous hack and not a new, undiscovered breach.

What's more, Hold Security is under criticism for charging companies a $120 subscription fee to use a tool that checks whether or not their information was stolen.

Although one might think capitalizing on consumer fear could throw a wrench in the validity of its findings, The New York Times — which first reported on the story — hired an independent security expert to confirm Hold Security's findings. The firm was also behind identifying the data breaches with Adobe Systems and Target, so it has a strong track record.

Regardless of where the incident stands in the "biggest-hack-ever" rankings, major breaches are becoming more common. Even changing your password every day — and who does? — won't truly protect you from becoming a cybercrime victim because it's unclear what individual companies are doing to protect user information on the back end.

"A very low percentage of companies store your passwords well and most don't even know they've been breached at all," Joe Siegrist, CEO and cofounder of LastPass, told Mashable. "Never trust a website with a password you use anywhere else. Even better, you shouldn't know your passwords because that way you can't be phished."

There are a few steps you can take to better protect your accounts from hackers. To avoid being a victim of cybercrime, it's essential that your overall password strategy is in order — a move that's far more important than changing individual passwords as often as you think you should.

Two-factor authentication

To start, consider using two-factor verification for the sites that offer it, such as Google, Amazon, Apple, Twitter and Tumblr. Two-factor verification (or two-factor authentication) is like double-locking your door at night to decrease the chances of an intruder breaking in. Companies that offer this security feature typically send a specialized code in a text message to users' phones each time they want to log in from a new device.

This is an invaluable precaution because it means your second-step password is never the same, and a hacker wouldn't be able to get their hands on the text-messaged code that expires, refreshes every 10 seconds and changes after each login attempt.
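The properties described above (a code that is different every time, expires after a short window and is good for a single login attempt) are what the server enforces. The following is an added illustration written for this article, not code from Mashable or from any of the companies named; the OneTimeCodeStore class, the 10-second lifetime taken from the paragraph above and the injected clock are all assumptions for the example, and actually sending the text message is left out.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10   # lifetime quoted in the article; an assumption for this example
CODE_DIGITS = 6


class OneTimeCodeStore:
    """Server-side bookkeeping for SMS-style login codes (hypothetical class).

    Each code is random, expires after a short window and is consumed by the
    first verification attempt, so a code that is observed by someone else is
    useless once it has been used or has timed out. The SMS gateway is out of
    scope: issue() returns the code instead of sending it.
    """

    def __init__(self, clock=time.time, ttl=CODE_TTL_SECONDS):
        self._clock = clock          # injectable so expiry can be tested offline
        self._ttl = ttl
        self._pending = {}           # username -> (code, expires_at)

    def issue(self, username):
        # Six digits from the OS CSPRNG; a fresh code replaces any earlier one,
        # so only the most recently sent code is ever valid.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (code, self._clock() + self._ttl)
        return code

    def verify(self, username, submitted):
        # Remove the entry before checking: one attempt per code, right or wrong.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        if not isinstance(submitted, str):
            return False
        # Constant-time comparison so timing does not reveal how many digits matched.
        return hmac.compare_digest(code.encode(), submitted.encode())


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("code issued (would be texted):", code)
    print("first use accepted:", store.verify("alice", code))
    print("replay rejected:", store.verify("alice", code))
```

Popping the entry before the comparison is deliberate: a wrong guess burns the code, which limits an attacker who intercepts nothing to one guess per text message rather than a million.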

Passwords

There's no shortage of articles on strong password tips, but what was once considered strategic and clever — such as using symbols, capitalizations and numbers like 3 in place of the letter "e" — is now an old trick. So here's what you need to know now: Use a different password for each account you use — you wouldn't use the same key in all of your locks, so the same goes for passwords.

"Only people who use random unique passwords on every site have reduced their risk from this latest breach — if you re-use passwords you are critically exposed," Siegrist said.

Meanwhile, security firm McAfee suggests avoiding passwords that include personal information, like your birthday, pet's name or a favorite color, because they're easy for hackers to guess. Passwords should also be long — at least 14 characters — and when you use common replacements (like symbols and numbers), make sure they're not tacked on at the end; scatter them throughout.

McAfee recommends using combinations of dictionary words that aren't related to each other, such as “catfolderspaceshuttle” with numbers and symbols, which makes the result easy to remember and hard to guess. You'll want to avoid common phrases and idioms like “icameisawiconquered,” which are easier to guess.
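The rules in the two paragraphs above (at least 14 characters, no personal details, substitutions scattered rather than appended, unrelated words, no well-known phrases) can be turned into a checker, and the "randomly generated password" advice further down into a generator. The code below is an added example written for this article and is not McAfee's, LastPass's or Mashable's tooling; the word list, the phrase list and the function names are constructed for illustration.

```python
import random
import string

# Constructed sample word list; a real generator would draw from a large dictionary.
WORDS = ["cat", "folder", "space", "shuttle", "lantern", "river", "piano",
         "copper", "meadow", "violet", "anchor", "biscuit"]
SYMBOLS = "!@#$%^&*?"
# Constructed sample of well-known phrases that should never be a password.
COMMON_PHRASES = {"icameisawiconquered", "tobeornottobe", "password", "letmein"}


def generate_passphrase(word_list=WORDS, n_words=3, n_extras=3, min_length=14,
                        rng=random.SystemRandom()):
    """Join unrelated dictionary words, then scatter digits and symbols through
    the interior of the string rather than appending them. SystemRandom draws
    from the OS CSPRNG; a seeded Random can be passed in for reproducible tests."""
    while True:
        chars = list("".join(rng.choice(word_list) for _ in range(n_words)))
        for _ in range(n_extras):
            extra = rng.choice(string.digits + SYMBOLS)
            # Positions 1..len-1 keep every extra away from both ends of the string.
            chars.insert(rng.randrange(1, len(chars)), extra)
        candidate = "".join(chars)
        if len(candidate) >= min_length:
            return candidate


def check_password(password, personal_info=()):
    """Return a list of problems found under the article's rules; an empty
    list means the password passed every check."""
    problems = []
    lowered = password.lower()
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    if any(phrase in lowered for phrase in COMMON_PHRASES):
        problems.append("matches a well-known phrase")
    extras = [c for c in password if not c.isalpha()]
    if extras:
        # If stripping trailing digits/symbols removes every extra, they were all
        # tacked on at the end instead of scattered through the password.
        stripped = password.rstrip(string.digits + string.punctuation)
        if len(password) - len(stripped) == len(extras):
            problems.append("digits and symbols only at the end; scatter them")
    return problems


if __name__ == "__main__":
    print("generated:", generate_passphrase())
    print("Fluffy1990! ->", check_password("Fluffy1990!", ["Fluffy", "1990"]))
    print("cat4folder#space9shuttle ->", check_password("cat4folder#space9shuttle"))
```

The checker deliberately reports every problem it finds instead of stopping at the first one, so a user sees the full list of what to change.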

Password managers

Many companies lay out too many rules during the password-creation process, forcing users to pick a phrase with a certain number of characters, numbers and uppercase letters. While this strengthens passwords, the complicated ones are easy to forget. And since each account should get its own unique password, remembering which complicated password goes where is a challenge.

Password managers such as LastPass, Dashlane or F-Secure make it simpler to get into your accounts quickly without racking your brain for which login information goes where. Sign into their service, and your passwords auto-populate when you visit other sites.

"Breaches will continue to happen and sites will continue to store your password insecurely," Siegrist said. "The question you need to ask yourself is would you trust this site to have a copy of your house key. If your house key could be copied instantly and used anywhere in the world by any person in the world, you wouldn't. It's important to give each site a randomly generated password instead."

Browser security


If you're up for being loyal to specific browsers and don't want to pay for a password-manager subscription, many offer built-in security features such as Apple's iCloud Keychain, which keeps your Safari usernames, passwords and credit card information only on the Macs and iOS devices you approve. This means a hacker trying to access your data remotely won't have any luck.
